berrypod/lib/berrypod_web/plugs/verify_printful_webhook.ex

defmodule BerrypodWeb.Plugs.VerifyPrintfulWebhook do
  @moduledoc """
  Verifies Printful webhook requests using a shared secret token.

  Checks the `webhook_secret` stored in the Printful provider connection
  config against the `X-PF-Webhook-Token` header (or `token` query param
  as fallback). Can be upgraded to HMAC signature verification once the
  exact Printful signing format is confirmed.

  Expects raw body cached in conn.assigns[:raw_body] (via CacheRawBody).
  """

  import Plug.Conn
  require Logger

  alias Berrypod.Products

  def init(opts), do: opts

  def call(conn, _opts) do
    with {:ok, token} <- get_token(conn),
         {:ok, secret} <- get_webhook_secret(),
         :ok <- verify_token(token, secret) do
      conn
    else
      {:error, reason} ->
        Logger.warning("Printful webhook verification failed: #{reason}")

        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, Jason.encode!(%{error: "Invalid token"}))
        |> halt()
    end
  end

  defp get_token(conn) do
    # Check header first, then query param
    case get_req_header(conn, "x-pf-webhook-token") do
      [token] when token != "" ->
        {:ok, token}

      _ ->
        case conn.query_params["token"] || conn.params["token"] do
          token when is_binary(token) and token != "" -> {:ok, token}
          _ -> {:error, :missing_token}
        end
    end
  end

  defp get_webhook_secret do
    case Products.get_provider_connection_by_type("printful") do
      %{config: %{"webhook_secret" => secret}} when is_binary(secret) and secret != "" ->
        {:ok, secret}

      _ ->
        {:error, :no_webhook_secret}
    end
  end

  defp verify_token(token, secret) do
    if Plug.Crypto.secure_compare(token, secret) do
      :ok
    else
      {:error, :token_mismatch}
    end
  end
end
rename project from SimpleshopTheme to Berrypod All modules, configs, paths, and references updated. 836 tests pass, zero warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-18 21:23:15 +00:00			`defmodule BerrypodWeb.Plugs.VerifyPrintfulWebhook do`
add Printful webhook endpoint with token verification New POST /webhooks/printful route with VerifyPrintfulWebhook plug (shared secret token via header or query param). Handles package_shipped, order_failed, order_canceled, product_updated, product_synced, and product_deleted events. Webhook registration via Printful v2 API with token appended to URL. 19 new tests (819 total). Also marks task #28 as done — Printful sync products already include preview mockup images handled by the existing ImageDownloadWorker pipeline. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-15 09:32:14 +00:00			`@moduledoc """`
			`Verifies Printful webhook requests using a shared secret token.`

			Checks the `webhook_secret` stored in the Printful provider connection
			config against the `X-PF-Webhook-Token` header (or `token` query param
			`as fallback). Can be upgraded to HMAC signature verification once the`
			`exact Printful signing format is confirmed.`

			`Expects raw body cached in conn.assigns[:raw_body] (via CacheRawBody).`
			`"""`

			`import Plug.Conn`
			`require Logger`

rename project from SimpleshopTheme to Berrypod All modules, configs, paths, and references updated. 836 tests pass, zero warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-18 21:23:15 +00:00			`alias Berrypod.Products`
add Printful webhook endpoint with token verification New POST /webhooks/printful route with VerifyPrintfulWebhook plug (shared secret token via header or query param). Handles package_shipped, order_failed, order_canceled, product_updated, product_synced, and product_deleted events. Webhook registration via Printful v2 API with token appended to URL. 19 new tests (819 total). Also marks task #28 as done — Printful sync products already include preview mockup images handled by the existing ImageDownloadWorker pipeline. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-15 09:32:14 +00:00
			`def init(opts), do: opts`

			`def call(conn, _opts) do`
			`with {:ok, token} <- get_token(conn),`
			`{:ok, secret} <- get_webhook_secret(),`
			`:ok <- verify_token(token, secret) do`
			`conn`
			`else`
			`{:error, reason} ->`
			`Logger.warning("Printful webhook verification failed: #{reason}")`

			`conn`
			`\|> put_resp_content_type("application/json")`
			`\|> send_resp(401, Jason.encode!(%{error: "Invalid token"}))`
			`\|> halt()`
			`end`
			`end`

			`defp get_token(conn) do`
			`# Check header first, then query param`
			`case get_req_header(conn, "x-pf-webhook-token") do`
			`[token] when token != "" ->`
			`{:ok, token}`

			`_ ->`
			`case conn.query_params["token"] \|\| conn.params["token"] do`
			`token when is_binary(token) and token != "" -> {:ok, token}`
			`_ -> {:error, :missing_token}`
			`end`
			`end`
			`end`

			`defp get_webhook_secret do`
			`case Products.get_provider_connection_by_type("printful") do`
			`%{config: %{"webhook_secret" => secret}} when is_binary(secret) and secret != "" ->`
			`{:ok, secret}`

			`_ ->`
			`{:error, :no_webhook_secret}`
			`end`
			`end`

			`defp verify_token(token, secret) do`
			`if Plug.Crypto.secure_compare(token, secret) do`
			`:ok`
			`else`
			`{:error, :token_mismatch}`
			`end`
			`end`
			`end`